Google Workspace has a logging blind spot that could allow disgruntled former employees and other threat actors to copy private company files held in Google Drive without the theft appearing in the events defenders usually check, research by Mitiga suggests.
“By default, every Google Drive user starts by possessing a ‘Cloud Identity Free’ license,” researchers at Mitiga explained. “To get more features, an admin must assign a paid license [...] to their users.”
If a paid license such as Google Workspace Enterprise Plus is assigned, all well and good. The organization's administrators can see what the employee does in Google Drive through the "Drive log events" audit function: any copy, delete or download, or any share with an external party, is recorded.
Things get potentially risky when no paid license is issued, or when it is revoked, for instance for an "offboarded" employee whose contract has been terminated but whose Google account has not yet been disabled.
“When an employee is leaving the company and their license gets removed before actually disabling or removing the employee as a Google user, the employee can potentially download internal files from its private drive without any notice.”
This could in theory allow someone who feels they have been unfairly treated by an employer to become an insider threat — essentially a disgruntled former employee who decides to leak vital data in a revenge attack.
“Without a paid license, users can still have access to a shared drive as viewers,” said Mitiga. “A user or a threat actor can copy all the files from the shared drive to their private drive and download them.”
Google Drive records two types of event when a file is copied: "source_copy" and "copy." Users who do not have a paid license generate only the former when they copy files out of an organization's shared drive, so a detection that looks only for "copy" events never sees the activity. The unlicensed user does not even need to cover their tracks: the only trace of the theft sits in an event type that many organizations do not check.
“There are no logs of the download actions from the user private drive at all,” said Mitiga. “So, if the company checks only for ‘copy’ events and not also ‘source_copy’ for data theft [and] the copying is done by a user with an unpaid license they will miss the exfiltration detection.”
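To make the detection gap concrete, here is an added example (not code from Mitiga, Google or Cybernews) that runs two detection rules over a handful of constructed Drive audit events. The record shape is loosely modelled on the Workspace Reports API Drive activity (an actor e-mail plus a list of named events with parameters), but the parameter names, the shared-drive id, the user names and the licence table are all assumptions made for this illustration, not a verified schema or real data. The first rule alerts only on "copy" events and misses the unlicensed user entirely; the second also treats "source_copy" events on the shared drive as evidence that files left it, and ranks unlicensed bulk copiers highest because their later downloads leave no Drive event at all.

```python
"""Added example: "copy"-only detection versus "copy" + "source_copy" detection.

All events and licence data below are CONSTRUCTED for this example.
Field names (actor.email, events[].name, events[].parameters.doc_title,
events[].parameters.shared_drive_id) are assumptions modelled loosely on
the Workspace Reports API, not a verified schema.
"""
from collections import defaultdict

# Assumed set of licence names that count as "paid" for this example.
PAID_LICENSES = {"Business Standard", "Business Plus",
                 "Enterprise Standard", "Enterprise Plus"}

# Constructed directory snapshot: None means the user holds only the free
# Cloud Identity licence (e.g. licence removed during offboarding).
LICENSES = {
    "alice@example.com": "Enterprise Plus",
    "mallory@example.com": None,   # licence removed, account not yet disabled
    "bob@example.com": "Enterprise Plus",
}

FINANCE_DRIVE = "0AFinanceSharedDrive"   # constructed shared-drive id


def _copy_event(actor, name, title, shared_drive_id):
    """Build one constructed audit record with a single copy-type event."""
    return {"actor": {"email": actor},
            "events": [{"name": name,
                        "parameters": {"doc_title": title,
                                       "shared_drive_id": shared_drive_id}}]}


SAMPLE_EVENTS = [
    # Licensed user copies one file. Assumption: her action yields both a
    # "copy" and a "source_copy" record.
    _copy_event("alice@example.com", "copy", "Q3-forecast.xlsx", FINANCE_DRIVE),
    _copy_event("alice@example.com", "source_copy", "Q3-forecast.xlsx", FINANCE_DRIVE),
    # Unlicensed viewer copies every file in the shared drive to their private
    # drive. Per Mitiga's description, only "source_copy" records appear.
    _copy_event("mallory@example.com", "source_copy", "Q3-forecast.xlsx", FINANCE_DRIVE),
    _copy_event("mallory@example.com", "source_copy", "payroll-2023.csv", FINANCE_DRIVE),
    _copy_event("mallory@example.com", "source_copy", "board-minutes.docx", FINANCE_DRIVE),
    # Licensed user copies a file inside his own My Drive: no shared drive involved.
    _copy_event("bob@example.com", "copy", "notes.txt", None),
]


def copies_from_shared_drives(records, event_names):
    """Return {actor: {doc_title, ...}} for events of the given names that
    reference a shared drive (shared_drive_id present)."""
    hits = defaultdict(set)
    for rec in records:
        actor = rec["actor"]["email"]
        for ev in rec["events"]:
            params = ev.get("parameters", {})
            if ev["name"] in event_names and params.get("shared_drive_id"):
                hits[actor].add(params["doc_title"])
    return dict(hits)


def naive_detector(records):
    """The rule Mitiga warns about: only "copy" events are considered."""
    return copies_from_shared_drives(records, {"copy"})


def source_copy_detector(records):
    """Also count "source_copy" events recorded on the shared-drive side."""
    return copies_from_shared_drives(records, {"copy", "source_copy"})


def unlicensed_exfil_suspects(records, licenses, min_files=2):
    """Actors without a paid licence who copied min_files or more shared-drive
    files. These deserve top priority: their later downloads from the private
    drive leave no Drive event, so the source_copy trail is the only evidence."""
    hits = source_copy_detector(records)
    return {actor: sorted(titles) for actor, titles in hits.items()
            if licenses.get(actor) not in PAID_LICENSES and len(titles) >= min_files}


if __name__ == "__main__":
    print("copy-only rule sees:      ", sorted(naive_detector(SAMPLE_EVENTS)))
    print("copy+source_copy rule sees:", sorted(source_copy_detector(SAMPLE_EVENTS)))
    print("unlicensed bulk copiers:  ", unlicensed_exfil_suspects(SAMPLE_EVENTS, LICENSES))
```

Run against the constructed sample, the copy-only rule reports only the licensed user, while the rule that also consumes "source_copy" events surfaces the unlicensed account that copied the entire shared drive; joining the hits to licence data is what turns the finding into an actionable offboarding alert.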
Mitiga further says its attempts to notify Google of the blind spot have gone unanswered, a response the security firm implies is typical of the tech giant in such cases.
“We have contacted Google’s security team but have not yet received an official response to include it in this advisory,” said Mitiga. “Based on earlier advisories, Google’s security team typically does not recognize forensics deficiencies as a security problem.”